Adware-Adwin
Risk Level 1
 
File Size : 2 KB
File Type : Portable Executable file Win32 EXE
File Name

setup_20016.exe

MD5

68d55f54069c3c00c8785cc2b880226b

SHA1

5ffe83563b6c963e9e06c6a2f807e549b7f58ae4

SHA256

c1d240bd65acdfde0470d88193b070e986dbb3d2a25dabde2a (truncated: 50 hex digits where a SHA-256 has 64, so this value cannot be used for matching; use the MD5 or SHA1 above)

General information:

* File name (as renamed and executed in the sandbox): C:\Users\Cognus\Desktop\malware sample\1 (3).exe

Changes to registry :

* Creates value "DisplayName=花猫日历" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\花猫日历
binary data=BB00A800C300A800C800D500C000FA000000
* Creates value "UninstallString=C:\Program Files\hmrl\uninst.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\花猫日历
binary data=43003A005C00500072006F006700720061006D002000460069006C00650073005C0068006D0072006C005C0075006E0069006E00730074002E006500780065000000
* Creates value "DisplayVersion=V1.0" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\花猫日历
binary data=560031002E0030000000
(花猫日历, "Huamao Calendar", is the product name; the sandbox recorded its GBK-encoded bytes as the Latin-1 string »¨Ã¨ÈÕÀú, and the DisplayName dump above is those same bytes widened one per UTF-16 code unit.)
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "hmrlqd=nothing" in key HKEY_CURRENT_USER\software\hmrl\huamaorili
binary data=6E006F007400680069006E0067000000
* Modifies value "start page=http://hao.360.cn/?src=lm&ls=n3f17941795" in key HKEY_CURRENT_USER\software\Microsoft\internet explorer\main
binary data=68007400740070003A002F002F00680061006F002E003300360030002E0063006E002F003F007300720063003D006C006D0026006C0073003D006E0033006600310037003900340031003700390035000000
old value "start page=http://go.microsoft.com/fwlink/?LinkId=69157"
binary data=68007400740070003A002F002F0067006F002E006D006900630072006F0073006F00660074002E0063006F006D002F00660077006C0069006E006B002F003F004C0069006E006B00490064003D00360039003100350037000000
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a36211b-1230-11e6-a3ec-806e6f6e6963}
old value empty
* Creates value "kpnv=31000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\hmrl
* Creates value "data=3200300031003600745E350008673900E565000000000000000000000000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\hmrl
* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (new value not preserved in this listing)
old value "SavedLegacySettings=46000000040000000900000000000000000000000000000004000000000000003037294946A8D101000000000000000000000000020000001700000000000000FE800000000000005C05060FE5E5E4920B0000001C00000000000000000000000000000000200000002000000010000001000000ED0300000906020008000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFC0B0EAF9D426D011BBBF00AA006C34E402000000C0A8EE800000000000000000609A3900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "1 (3).exe=B1822B73E5658653895BC5880B7A8F5E0000" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\Cognus\Desktop\malware sample
* Creates value "hmrl.exe=B1822B73E56586530000" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\Cognus\DefaultBox\drive\C\Program Files\hmrl
(The SandboxAutoExec key and the SandboxieRpcSs.exe MuiCache entry are written by Sandboxie, under which this sample was run; they are analysis-environment artifacts, not behaviour of the sample.)

Changes to filesystem:

* Creates file C:\Program Files\hmrl\Help360Safe.exe
* Creates file C:\Program Files\hmrl\HmClockDate32.dll
* Creates file C:\Program Files\hmrl\HmClockDate32.exe
* Creates file C:\Program Files\hmrl\HmClockDate64.dll
* Creates file C:\Program Files\hmrl\HmClockDate64.exe
* Creates file C:\Program Files\hmrl\hmrl.exe
* Creates file C:\Program Files\hmrl\hook.dll
* Creates file C:\Program Files\hmrl\KpPopupDlg.exe
* Creates file C:\Program Files\hmrl\riliupdate.exe
* Creates file C:\Program Files\hmrl\RlDateSet.exe
* Creates file C:\Program Files\hmrl\rlimage\cebianback.png
* Creates file C:\Program Files\hmrl\rlimage\leftbtn.png
* Creates file C:\Program Files\hmrl\rlimage\onlineupdate.png
* Creates file C:\Program Files\hmrl\rlimage\rightbtn.png
* Creates file C:\Program Files\hmrl\rlimage\riliamuse.png
* Creates file C:\Program Files\hmrl\rlimage\riliback.png
* Creates file C:\Program Files\hmrl\rlimage\riliclose.png
* Creates file C:\Program Files\hmrl\rlimage\riligame.png
* Creates file C:\Program Files\hmrl\rlimage\riliheath.png
* Creates file C:\Program Files\hmrl\rlimage\rilinoval.png
* Creates file C:\Program Files\hmrl\rlimage\rilisel.jpg
* Creates file C:\Program Files\hmrl\rlimage\rilivideo.png
* Creates file C:\Program Files\hmrl\rlimage\riliweb.png
* Creates file C:\Program Files\hmrl\rlimage\updateback.png
* Creates file C:\Program Files\hmrl\rlimage\updatecheck.png
* Creates file C:\Program Files\hmrl\rlimage\updateknown.png
* Creates file C:\Program Files\hmrl\rlimage\updateuncheck.png
* Creates file C:\Program Files\hmrl\RlPopupDlg.exe
* Creates file C:\Program Files\hmrl\Uninst.exe
* Creates file C:\Program Files\hmrl\weather\0.gif
* Creates file C:\Program Files\hmrl\weather\1.gif
* Creates file C:\Program Files\hmrl\weather\10.gif
* Creates file C:\Program Files\hmrl\weather\11.gif
* Creates file C:\Program Files\hmrl\weather\12.gif
* Creates file C:\Program Files\hmrl\weather\13.gif
* Creates file C:\Program Files\hmrl\weather\14.gif
* Creates file C:\Program Files\hmrl\weather\15.gif
* Creates file C:\Program Files\hmrl\weather\16.gif
* Creates file C:\Program Files\hmrl\weather\17.gif
* Creates file C:\Program Files\hmrl\weather\18.gif
* Creates file C:\Program Files\hmrl\weather\19.gif
* Creates file C:\Program Files\hmrl\weather\2.gif
* Creates file C:\Program Files\hmrl\weather\20.gif
* Creates file C:\Program Files\hmrl\weather\21.gif
* Creates file C:\Program Files\hmrl\weather\22.gif
* Creates file C:\Program Files\hmrl\weather\23.gif
* Creates file C:\Program Files\hmrl\weather\24.gif
* Creates file C:\Program Files\hmrl\weather\25.gif
* Creates file C:\Program Files\hmrl\weather\26.gif
* Creates file C:\Program Files\hmrl\weather\27.gif
* Creates file C:\Program Files\hmrl\weather\28.gif
* Creates file C:\Program Files\hmrl\weather\29.gif
* Creates file C:\Program Files\hmrl\weather\3.gif
* Creates file C:\Program Files\hmrl\weather\30.gif
* Creates file C:\Program Files\hmrl\weather\31.gif
* Creates file C:\Program Files\hmrl\weather\4.gif
* Creates file C:\Program Files\hmrl\weather\5.gif
* Creates file C:\Program Files\hmrl\weather\6.gif
* Creates file C:\Program Files\hmrl\weather\7.gif
* Creates file C:\Program Files\hmrl\weather\8.gif
* Creates file C:\Program Files\hmrl\weather\9.gif
* Creates file C:\Program Files\hmrl\weather\nothing.gif
* Creates file C:\Program Files\hmrl\weather\wsdy.gif
* Creates file C:\Program Files\hmrl\weather\wslzy.gif
* Creates file C:\Program Files\hmrl\weather\wsq.gif
* Creates file C:\Program Files\hmrl\weather\wsw.gif
* Creates file C:\Program Files\hmrl\weather\wsy.gif
* Creates file C:\Program Files\hmrl\weather\wszx.gif
* Creates file C:\Program Files\hmrl\weather\wszy.gif
* Creates file C:\Program Files\hmrl\XLDownload.dll
* Creates file C:\Program Files\hmrl\zlib1.dll
* Creates file C:\ProgramData\572311.ico
* Creates file C:\ProgramData\kpzm.ico
* Creates file C:\ProgramData\wzdq.ico
* Creates file C:\Users\Cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AVZXBMM4\ips1388[1].htm
* Modifies file (hidden) C:\Users\Cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\Cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XPC044Z4\hmrlconfig[1].htm
* Creates file C:\Users\Cognus\AppData\Roaming\hmrl\hmrlconfig.ini
* Creates file C:\Users\Cognus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\花猫日历.lnk
* Creates file C:\Users\Cognus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\花猫日历\花猫日历.lnk
* Creates file C:\Users\Cognus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\花猫日历\卸载软件.lnk
* Creates file C:\Users\Cognus\Desktop\花猫日历.lnk
(花猫日历 = "Huamao Calendar", 卸载软件 = "Uninstall Software"; both names were GBK bytes shown as Latin-1 in the original listing. The shortcut in the Startup folder starts the widget at every logon and is the only persistence mechanism recorded here.)

Network services:

* Looks for an Internet connection.
* Queries DNS "khit.cn".
* Queries DNS "ip.dnsexit.com".
* Queries DNS "www.ip138.com".
* Queries DNS "webservice.webxml.com.cn".
* C:\Users\Cognus\Desktop\malware sample\1 (3).exe Connects to "220.243.228.73" on port 80 (TCP - HTTP).
* C:\Sandbox\Cognus\DefaultBox\drive\C\Program Files\hmrl\hmrl.exe Connects to "104.219.19.53" on port 80 (TCP - HTTP).
* C:\Sandbox\Cognus\DefaultBox\drive\C\Program Files\hmrl\hmrl.exe Connects to "220.243.228.72" on port 80 (TCP - HTTP).
* Downloads file from "khit.cn/soft/azbconfig.ini".
* Downloads file from "khit.cn/soft/kp1configuration.ini".
* Downloads file from "khit.cn/hmrlconfig.ini".
* Downloads file from "ip.dnsexit.com/".
* Downloads file from "www.ip138.com/ips1388.asp?ip=%20IP%20query%20not%20allowed&action=2".
* Opens next URLs:
http://ip.dnsexit.com/
http://www.ip138.com/ips1388.asp?ip=
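The domains, IPs and URLs listed under "Network services" are the indicators a network defender would search for. The matcher below is an added example (not code from the original page) that collects them into a small IOC set and runs it over DNS query-log and proxy access-log lines; the log lines are constructed for the example, and the pairing of a server IP with a hostname in them is illustrative, since the report does not say which address answered for which name.

```python
# Added example: match the network indicators from this report against
# BIND-style query-log lines and Squid-style access-log lines.
# The log lines are constructed for the example; the indicators are the
# ones listed in the "Network services" section above.
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {"khit.cn", "ip.dnsexit.com", "www.ip138.com",
               "webservice.webxml.com.cn"}
IOC_IPS = {"220.243.228.73", "220.243.228.72", "104.219.19.53"}
IOC_URL_PATHS = {
    "khit.cn": {"/soft/azbconfig.ini", "/soft/kp1configuration.ini",
                "/hmrlconfig.ini"},
    "www.ip138.com": {"/ips1388.asp"},
}

# Constructed sample logs (not captured from the sample's traffic).
SAMPLE_DNS_LOG = """\
09-May-2016 10:12:01.101 queries: info: client 192.168.238.128#51234: query: khit.cn IN A + (192.168.238.2)
09-May-2016 10:12:02.455 queries: info: client 192.168.238.128#51240: query: www.microsoft.com IN A + (192.168.238.2)
09-May-2016 10:12:03.009 queries: info: client 192.168.238.128#51241: query: ip.dnsexit.com IN A + (192.168.238.2)
"""
SAMPLE_PROXY_LOG = """\
1462788722.120    310 192.168.238.128 TCP_MISS/200 1842 GET http://khit.cn/hmrlconfig.ini - HIER_DIRECT/220.243.228.72 text/plain
1462788723.330     85 192.168.238.128 TCP_MISS/200 512 GET http://www.ip138.com/ips1388.asp?ip=%20IP%20query%20not%20allowed&action=2 - HIER_DIRECT/104.219.19.53 text/html
1462788724.001     40 192.168.238.128 TCP_MISS/200 9000 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
"""

DNS_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def match_dns(log_text: str):
    """Return (client, qname) for queries that hit an IOC domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((m.group("client"), qname))
    return hits


def match_proxy(log_text: str):
    """Return (client, url, reasons) for access-log entries touching an IOC.

    Squid native format: time elapsed client code/status bytes method URL
    ident peerstatus/peerhost type. Matches on host, on the exact path for
    that host (query string ignored), and on the upstream server IP.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        server_ip = peer.split("/", 1)[-1]
        reasons = []
        if host in IOC_DOMAINS:
            reasons.append("host")
        if parts.path in IOC_URL_PATHS.get(host, ()):
            reasons.append("path")
        if server_ip in IOC_IPS:
            reasons.append("server-ip")
        if reasons:
            hits.append((client, url, ",".join(reasons)))
    return hits


if __name__ == "__main__":
    for client, qname in match_dns(SAMPLE_DNS_LOG):
        print(f"DNS  {client} -> {qname}")
    for client, url, why in match_proxy(SAMPLE_PROXY_LOG):
        print(f"HTTP {client} -> {url} [{why}]")
```

Matching the path separately from the host matters here: www.ip138.com and ip.dnsexit.com are public IP-lookup services that legitimate software also uses, so a hit on those hosts alone is weak, whereas the khit.cn config paths are specific to this installer.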

Process/window/string information:

* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Deletes activity traces.
* Enumerates running processes.
* Creates process "null, C:\Program Files\hmrl\hmrl.exe, null".
* Injects code into process "C:\Sandbox\Cognus\DefaultBox\drive\C\Program Files\hmrl\hmrl.exe".
* Enables privilege SeShutdownPrivilege.
* Creates a mutex "OnlyOnehuamaoriliInstance".
* Creates a mutex "Local\!IETld!Mutex".
* Opens a service named "rasman".
* Opens a service named "Sens".
* Enables privilege SeAuditPrivilege.
* Creates a mutex "IESQMMUTEX_0_208".
* Creates process "C:\Program Files\hmrl\HmClockDate32.exe, "C:\Program Files\hmrl\HmClockDate32.exe" , C:\Program Files\hmrl".
* Injects code into process "C:\Sandbox\Cognus\DefaultBox\drive\C\Program Files\hmrl\HmClockDate32.exe".
* Creates a mutex "OnlyOneHMRLInstance".

Additional Information:

Behaviour summary (drawn from the observations above):

* The installer drops a Chinese calendar/weather desktop widget, 花猫日历 ("Huamao Calendar"), into C:\Program Files\hmrl, registers it under HKLM\...\Uninstall\花猫日历 (DisplayVersion V1.0, uninstaller C:\Program Files\hmrl\uninst.exe), and persists through a shortcut in the user's Startup folder.
* It replaces the Internet Explorer start page (previously http://go.microsoft.com/fwlink/?LinkId=69157) with http://hao.360.cn/?src=lm&ls=n3f17941795; the src and ls parameters are affiliate/tracking identifiers, which is what makes this adware rather than a plain calendar.
* It sets Windows Error Reporting DontShowUI=1 and creates the LocalDumps key, so crashes in its components raise no dialog, and sets NukeOnDelete=1 for one volume's Recycle Bin, so files it deletes there are removed immediately instead of being moved to the Recycle Bin.
* Configuration is fetched over plain HTTP from khit.cn (azbconfig.ini, kp1configuration.ini, hmrlconfig.ini) and stored in %APPDATA%\hmrl\hmrlconfig.ini; the external IP is looked up via ip.dnsexit.com and www.ip138.com. The ip= parameter of the ip138 request carries the literal text "IP query not allowed", consistent with the dnsexit response body being passed into the second request without validation.
* The analysis ran under Sandboxie (paths under C:\Sandbox\Cognus\DefaultBox). Sandboxie injects its own DLL into every sandboxed process, so the "Injects code into process" entries for hmrl.exe and HmClockDate32.exe should be confirmed on a non-sandboxed system before being treated as a capability of the sample.

How To Remove setup_20016.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or scan the folder where setup_20016.exe is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Delete the threat from the results table.

To clean up manually what this report shows: end the hmrl.exe and HmClockDate32.exe processes, delete C:\Program Files\hmrl, %APPDATA%\hmrl, the three .ico files in C:\ProgramData and the Startup, Start Menu and Desktop shortcuts listed above, remove HKCU\Software\hmrl, HKCU\Software\Microsoft\Windows\CurrentVersion\hmrl and HKLM\...\Uninstall\花猫日历, and restore the Internet Explorer start page and the Windows Error Reporting and NukeOnDelete settings.
